puppet-acme_vault/files/check_cert.sh

#!/bin/bash

# this script compares the existing cert against the new cert in vault, and
# replaces existing cert only if it is newer and valid.

# TODO serious refactoring to apply DRY 
# TODO help / argument checking
# TODO need a force flag - also something that checks if all things match

# function defs
get_fingerprint() {
    openssl x509 -noout -fingerprint -in <(echo "$1") | awk -F= '{print $2}'
}

get_enddate() {
    date --date="$(openssl x509 -noout -enddate -in <(echo "$1")| awk -F= '{print $2}')" --iso-8601
}

deploy_cert() {
    NEWCERT=$1
    NEWKEY=$2
    NEWCHAIN=$3
    NEWFULLCHAIN=$4
    EXISTING_CERT_PATH=$5
    EXISTING_KEY_PATH=$6
    EXISTING_CHAIN_PATH=$7
    EXISTING_FULLCHAIN_PATH=$8
    
    echo "deploying cert to $EXISTING_CERT_PATH"
    echo "$NEWCERT" > "$EXISTING_CERT_PATH"
    echo "$NEWKEY"  > "$EXISTING_KEY_PATH"
    echo "$NEWCHAIN"  > "$EXISTING_CHAIN_PATH"
    echo "$NEWFULLCHAIN"  > "$EXISTING_FULLCHAIN_PATH"

}

# arguments
DOMAIN=$1
CERT_PREFIX=$2
EXISTING_CERT_DIR="${CERT_PREFIX}/${DOMAIN}"
EXISTING_CERT_PATH="${EXISTING_CERT_DIR}/cert.pem"
EXISTING_KEY_PATH="${EXISTING_CERT_DIR}/cert.key"
EXISTING_CHAIN_PATH="${EXISTING_CERT_DIR}/chain.pem"
EXISTING_FULLCHAIN_PATH="${EXISTING_CERT_DIR}/fullchain.pem"

# variables
TODAY=$(date --iso-8601)
# use VAULT_BIN if defined, otherwise, assume /usr/local/bin/vault
: "${VAULT_BIN:=/usr/local/bin/vault}"


NEWCERT_VAULT_PATH="/secret/letsencrypt/${DOMAIN}/cert.pem"
NEWKEY_VAULT_PATH="/secret/letsencrypt/${DOMAIN}/cert.key"
NEWCHAIN_VAULT_PATH="/secret/letsencrypt/${DOMAIN}/chain.pem"
NEWFULLCHAIN_VAULT_PATH="/secret/letsencrypt/${DOMAIN}/fullchain.pem"

# Get new cert info
NEWCERT=$($VAULT_BIN kv get -field=value "$NEWCERT_VAULT_PATH") || exit 1
NEWKEY=$($VAULT_BIN kv get -field=value "$NEWKEY_VAULT_PATH") || exit 1
NEWCHAIN=$($VAULT_BIN kv get -field=value "$NEWCHAIN_VAULT_PATH") || exit 1
NEWFULLCHAIN=$($VAULT_BIN kv get -field=value "$NEWFULLCHAIN_VAULT_PATH") || exit 1
NEWCERT_FINGERPRINT=$(get_fingerprint "$NEWCERT")
NEWCERT_ENDDATE=$(get_enddate "$NEWCERT")

# we need to bail right away if we don't have a valid new cert
if [ "$NEWCERT_FINGERPRINT" == "" ]
then
    echo "no valid new cert found!"
    exit 1
fi

#echo "new fingerprint: $NEWCERT_FINGERPRINT"
#echo "new enddate: $NEWCERT_ENDDATE"

# Get existing cert info if it exists.  if it doesn't exist, we don't need to
# check it, we can just deploy.

if [ -e "$EXISTING_CERT_PATH" ]
then 
    EXISTING_CERT=$(cat "$EXISTING_CERT_PATH")
    EXISTING_CERT_FINGERPRINT=$(get_fingerprint "$EXISTING_CERT")
    EXISTING_CERT_ENDDATE=$(get_enddate "$EXISTING_CERT")
else
    # create destination dir if needed
    if [ ! -d "$EXISTING_CERT_DIR" ]
    then 
        mkdir -p "$EXISTING_CERT_DIR"
    fi
    deploy_cert "$NEWCERT" "$NEWKEY" "$NEWCHAIN" "$NEWFULLCHAIN" "$EXISTING_CERT_PATH" "$EXISTING_KEY_PATH" "$EXISTING_CHAIN_PATH" "$EXISTING_FULLCHAIN_PATH"
    exit 0
fi

#echo "existing fingerprint: $EXISTING_CERT_FINGERPRINT"
#echo "existing enddate: $EXISTING_CERT_ENDDATE"


# check that new cert is different
# if it is the same, exit normally, this will be the common case
if [ "$NEWCERT_FINGERPRINT" == "$EXISTING_CERT_FINGERPRINT" ]
then
    exit 1
fi

# check that new cert is newer than current cert
if [ "$EXISTING_CERT_ENDDATE" \> "$NEWCERT_ENDDATE" ]
then
    echo "existing cert expiration is older, exiting"
    exit 1
fi

# check that new cert is not expired
if [ "$NEWCERT_ENDDATE" \< "$TODAY" ]
then
    echo "new cert is expired, exiting"
    exit 1
fi

# if we made it this far, the cert looks good, replace it

deploy_cert "$NEWCERT" "$NEWKEY" "$NEWCHAIN" "$NEWFULLCHAIN" "$EXISTING_CERT_PATH" "$EXISTING_KEY_PATH" "$EXISTING_CHAIN_PATH" "$EXISTING_FULLCHAIN_PATH"
add deploy class, check_cert.sh, cron setup 2018-02-26 18:01:25 +00:00			`#!/bin/bash`

			`# this script compares the existing cert against the new cert in vault, and`
			`# replaces existing cert only if it is newer and valid.`

update acme_vault repo - Aug-8-2019 2019-08-08 16:01:55 +00:00			`# TODO serious refactoring to apply DRY`
			`# TODO help / argument checking`
			`# TODO need a force flag - also something that checks if all things match`

add deploy class, check_cert.sh, cron setup 2018-02-26 18:01:25 +00:00			`# function defs`
			`get_fingerprint() {`
			`openssl x509 -noout -fingerprint -in <(echo "$1") \| awk -F= '{print $2}'`
			`}`

			`get_enddate() {`
			`date --date="$(openssl x509 -noout -enddate -in <(echo "$1")\| awk -F= '{print $2}')" --iso-8601`
			`}`

add better checking in check_cert.sh 2018-02-27 16:10:51 +00:00			`deploy_cert() {`
			`NEWCERT=$1`
			`NEWKEY=$2`
update acme_vault repo - Aug-8-2019 2019-08-08 16:01:55 +00:00			`NEWCHAIN=$3`
			`NEWFULLCHAIN=$4`
			`EXISTING_CERT_PATH=$5`
			`EXISTING_KEY_PATH=$6`
			`EXISTING_CHAIN_PATH=$7`
			`EXISTING_FULLCHAIN_PATH=$8`
add better checking in check_cert.sh 2018-02-27 16:10:51 +00:00
			`echo "deploying cert to $EXISTING_CERT_PATH"`
Improve docs, scripts, and source .bashrc in cron - Added comprehensive documentation for all Puppet classes - Applied bash linting and made minor improvements to check_cert.sh - Updated domain issue cron to source the .bashrc file - Implemented small changes to address Puppet linting issues 2023-04-12 18:51:15 +00:00			`echo "$NEWCERT" > "$EXISTING_CERT_PATH"`
			`echo "$NEWKEY" > "$EXISTING_KEY_PATH"`
			`echo "$NEWCHAIN" > "$EXISTING_CHAIN_PATH"`
			`echo "$NEWFULLCHAIN" > "$EXISTING_FULLCHAIN_PATH"`
add better checking in check_cert.sh 2018-02-27 16:10:51 +00:00
			`}`

add deploy class, check_cert.sh, cron setup 2018-02-26 18:01:25 +00:00			`# arguments`
			`DOMAIN=$1`
			`CERT_PREFIX=$2`
			`EXISTING_CERT_DIR="${CERT_PREFIX}/${DOMAIN}"`
			`EXISTING_CERT_PATH="${EXISTING_CERT_DIR}/cert.pem"`
			`EXISTING_KEY_PATH="${EXISTING_CERT_DIR}/cert.key"`
update acme_vault repo - Aug-8-2019 2019-08-08 16:01:55 +00:00			`EXISTING_CHAIN_PATH="${EXISTING_CERT_DIR}/chain.pem"`
			`EXISTING_FULLCHAIN_PATH="${EXISTING_CERT_DIR}/fullchain.pem"`
add deploy class, check_cert.sh, cron setup 2018-02-26 18:01:25 +00:00
			`# variables`
			`TODAY=$(date --iso-8601)`
update for new vault api, and default set for VAULT_BIN 2021-11-02 15:40:16 +00:00			`# use VAULT_BIN if defined, otherwise, assume /usr/local/bin/vault`
Improve docs, scripts, and source .bashrc in cron - Added comprehensive documentation for all Puppet classes - Applied bash linting and made minor improvements to check_cert.sh - Updated domain issue cron to source the .bashrc file - Implemented small changes to address Puppet linting issues 2023-04-12 18:51:15 +00:00			`: "${VAULT_BIN:=/usr/local/bin/vault}"`
add deploy class, check_cert.sh, cron setup 2018-02-26 18:01:25 +00:00

			`NEWCERT_VAULT_PATH="/secret/letsencrypt/${DOMAIN}/cert.pem"`
			`NEWKEY_VAULT_PATH="/secret/letsencrypt/${DOMAIN}/cert.key"`
update acme_vault repo - Aug-8-2019 2019-08-08 16:01:55 +00:00			`NEWCHAIN_VAULT_PATH="/secret/letsencrypt/${DOMAIN}/chain.pem"`
			`NEWFULLCHAIN_VAULT_PATH="/secret/letsencrypt/${DOMAIN}/fullchain.pem"`
add deploy class, check_cert.sh, cron setup 2018-02-26 18:01:25 +00:00
			`# Get new cert info`
Improve docs, scripts, and source .bashrc in cron - Added comprehensive documentation for all Puppet classes - Applied bash linting and made minor improvements to check_cert.sh - Updated domain issue cron to source the .bashrc file - Implemented small changes to address Puppet linting issues 2023-04-12 18:51:15 +00:00			`NEWCERT=$($VAULT_BIN kv get -field=value "$NEWCERT_VAULT_PATH") \|\| exit 1`
			`NEWKEY=$($VAULT_BIN kv get -field=value "$NEWKEY_VAULT_PATH") \|\| exit 1`
			`NEWCHAIN=$($VAULT_BIN kv get -field=value "$NEWCHAIN_VAULT_PATH") \|\| exit 1`
			`NEWFULLCHAIN=$($VAULT_BIN kv get -field=value "$NEWFULLCHAIN_VAULT_PATH") \|\| exit 1`
add deploy class, check_cert.sh, cron setup 2018-02-26 18:01:25 +00:00			`NEWCERT_FINGERPRINT=$(get_fingerprint "$NEWCERT")`
			`NEWCERT_ENDDATE=$(get_enddate "$NEWCERT")`

			`# we need to bail right away if we don't have a valid new cert`
			`if [ "$NEWCERT_FINGERPRINT" == "" ]`
			`then`
			`echo "no valid new cert found!"`
Improve docs, scripts, and source .bashrc in cron - Added comprehensive documentation for all Puppet classes - Applied bash linting and made minor improvements to check_cert.sh - Updated domain issue cron to source the .bashrc file - Implemented small changes to address Puppet linting issues 2023-04-12 18:51:15 +00:00			`exit 1`
add deploy class, check_cert.sh, cron setup 2018-02-26 18:01:25 +00:00			`fi`

			`#echo "new fingerprint: $NEWCERT_FINGERPRINT"`
			`#echo "new enddate: $NEWCERT_ENDDATE"`

add better checking in check_cert.sh 2018-02-27 16:10:51 +00:00			`# Get existing cert info if it exists. if it doesn't exist, we don't need to`
			`# check it, we can just deploy.`

Improve docs, scripts, and source .bashrc in cron - Added comprehensive documentation for all Puppet classes - Applied bash linting and made minor improvements to check_cert.sh - Updated domain issue cron to source the .bashrc file - Implemented small changes to address Puppet linting issues 2023-04-12 18:51:15 +00:00			`if [ -e "$EXISTING_CERT_PATH" ]`
add better checking in check_cert.sh 2018-02-27 16:10:51 +00:00			`then`
Improve docs, scripts, and source .bashrc in cron - Added comprehensive documentation for all Puppet classes - Applied bash linting and made minor improvements to check_cert.sh - Updated domain issue cron to source the .bashrc file - Implemented small changes to address Puppet linting issues 2023-04-12 18:51:15 +00:00			`EXISTING_CERT=$(cat "$EXISTING_CERT_PATH")`
add better checking in check_cert.sh 2018-02-27 16:10:51 +00:00			`EXISTING_CERT_FINGERPRINT=$(get_fingerprint "$EXISTING_CERT")`
			`EXISTING_CERT_ENDDATE=$(get_enddate "$EXISTING_CERT")`
			`else`
			`# create destination dir if needed`
Improve docs, scripts, and source .bashrc in cron - Added comprehensive documentation for all Puppet classes - Applied bash linting and made minor improvements to check_cert.sh - Updated domain issue cron to source the .bashrc file - Implemented small changes to address Puppet linting issues 2023-04-12 18:51:15 +00:00			`if [ ! -d "$EXISTING_CERT_DIR" ]`
add better checking in check_cert.sh 2018-02-27 16:10:51 +00:00			`then`
Improve docs, scripts, and source .bashrc in cron - Added comprehensive documentation for all Puppet classes - Applied bash linting and made minor improvements to check_cert.sh - Updated domain issue cron to source the .bashrc file - Implemented small changes to address Puppet linting issues 2023-04-12 18:51:15 +00:00			`mkdir -p "$EXISTING_CERT_DIR"`
add better checking in check_cert.sh 2018-02-27 16:10:51 +00:00			`fi`
update acme_vault repo - Aug-8-2019 2019-08-08 16:01:55 +00:00			`deploy_cert "$NEWCERT" "$NEWKEY" "$NEWCHAIN" "$NEWFULLCHAIN" "$EXISTING_CERT_PATH" "$EXISTING_KEY_PATH" "$EXISTING_CHAIN_PATH" "$EXISTING_FULLCHAIN_PATH"`
add better checking in check_cert.sh 2018-02-27 16:10:51 +00:00			`exit 0`
			`fi`
add deploy class, check_cert.sh, cron setup 2018-02-26 18:01:25 +00:00
			`#echo "existing fingerprint: $EXISTING_CERT_FINGERPRINT"`
			`#echo "existing enddate: $EXISTING_CERT_ENDDATE"`


			`# check that new cert is different`
			`# if it is the same, exit normally, this will be the common case`
			`if [ "$NEWCERT_FINGERPRINT" == "$EXISTING_CERT_FINGERPRINT" ]`
			`then`
Improve docs, scripts, and source .bashrc in cron - Added comprehensive documentation for all Puppet classes - Applied bash linting and made minor improvements to check_cert.sh - Updated domain issue cron to source the .bashrc file - Implemented small changes to address Puppet linting issues 2023-04-12 18:51:15 +00:00			`exit 1`
add deploy class, check_cert.sh, cron setup 2018-02-26 18:01:25 +00:00			`fi`

			`# check that new cert is newer than current cert`
			`if [ "$EXISTING_CERT_ENDDATE" \> "$NEWCERT_ENDDATE" ]`
			`then`
			`echo "existing cert expiration is older, exiting"`
Improve docs, scripts, and source .bashrc in cron - Added comprehensive documentation for all Puppet classes - Applied bash linting and made minor improvements to check_cert.sh - Updated domain issue cron to source the .bashrc file - Implemented small changes to address Puppet linting issues 2023-04-12 18:51:15 +00:00			`exit 1`
add deploy class, check_cert.sh, cron setup 2018-02-26 18:01:25 +00:00			`fi`

			`# check that new cert is not expired`
			`if [ "$NEWCERT_ENDDATE" \< "$TODAY" ]`
			`then`
			`echo "new cert is expired, exiting"`
Improve docs, scripts, and source .bashrc in cron - Added comprehensive documentation for all Puppet classes - Applied bash linting and made minor improvements to check_cert.sh - Updated domain issue cron to source the .bashrc file - Implemented small changes to address Puppet linting issues 2023-04-12 18:51:15 +00:00			`exit 1`
add deploy class, check_cert.sh, cron setup 2018-02-26 18:01:25 +00:00			`fi`

			`# if we made it this far, the cert looks good, replace it`
add better checking in check_cert.sh 2018-02-27 16:10:51 +00:00
update acme_vault repo - Aug-8-2019 2019-08-08 16:01:55 +00:00			`deploy_cert "$NEWCERT" "$NEWKEY" "$NEWCHAIN" "$NEWFULLCHAIN" "$EXISTING_CERT_PATH" "$EXISTING_KEY_PATH" "$EXISTING_CHAIN_PATH" "$EXISTING_FULLCHAIN_PATH"`